Hello Francesco,

Thanks for your quick response.
I was talking about this case:

 2. during any update including new resource subscription


I have checked the AbstractPropagationTaskExecutor class, and in the method
createOrUpdate (in case 2) it seems that the __PASSWORD__ parameter is not
propagated. In cases 1 and 3 it is passed in the attribute set, but not in case 2.
This is before any tasks are executed on the connector object, so it behaves
the same way no matter which connector is used. In cases 1 and 3 the password
is propagated in clear text (in a GuardedString instance), because a new
password was supplied during the process (create new user or update
password). But in case 2, there is only access to the hashed password value
from the database. Maybe this is because of the version I am using? Or some
misconfiguration?
I would appreciate your help on that.

Thanks once more! :)

Regards,
Marcin
2013/8/28 Francesco Chicchiriccò <[email protected]>

>  On 28/08/2013 08:57, Marcin Sośnicki wrote:
>
>  Hello,
>
>  I have a question regarding password propagation (I am using Syncope
> 1.2.0-SNAPSHOT). My flow is as follows:
> 1) Create user in Syncope, without external resources
> 2) Edit user (without editing password)
> 3) Add external resource
> 4) Save user
>
>  With this flow, the user is created in the external resource without a
> password. What is the right way to go through a flow like this? Assuming
> that the passwords in Syncope and in the external resource are hashed using
> different algorithms, there is no way to get the right value while editing
> without a password change. I would appreciate your help; I had some ideas
> on how to solve this (the same password encryption for example, and
> propagation of the hashed password) but first I would like to know what you
> think about this.
>
>
> Hi Marcin,
> first of all, is there any specific reason why you are working with
> 1.2.0-SNAPSHOT? I'd suggest going with the stable branch (ad libitum, latest
> 1.1.3).
>
> Coming to your questions, consider that passwords are propagated from
> Syncope to external resources in the following cases:
>  1. during creation (if any resource was selected)
>  2. during any update including new resource subscription
>  3. during any update when password was requested to be updated on some
> specific resources
>
> In any case, however, the password is not hashed before propagation but
> instead sent, via the configured ConnId connector, as a GuardedString [1].
> At this point different connector bundles operate differently: the DB
> table [2] and LDAP [3] connectors, for example, provide specific
> configuration parameters (respectively "Password cipher algorithm" and
> "passwordHashAlgorithm") to be used when hashing passwords, locally to the
> resource.
>
> Regards.
>
> [1]
> http://tirasa.github.io/ConnId/apidocs/base/org/identityconnectors/common/security/GuardedString.html
> [2] https://connid.atlassian.net/wiki/display/BASE/Database+Table
> [3] https://connid.atlassian.net/wiki/display/BASE/LDAP
>
> --
> Francesco Chicchiriccò
>
> ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
> http://people.apache.org/~ilgrosso/
>
>
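As an added illustration of the three propagation cases Francesco lists and of Marcin's observation about case 2 (this is a constructed simulation written for this thread, not code from Syncope or ConnId; the function names and the two hash formats are my own choices):

```python
import base64
import hashlib
import os
from typing import Optional

# Constructed simulation: what Syncope holds versus what a resource needs.
# Nothing here is a Syncope or ConnId API; names are illustrative only.

def syncope_store(clear: str) -> str:
    """What Syncope keeps in its database: a one-way hash (SHA-256 hex here)."""
    return hashlib.sha256(clear.encode()).hexdigest()

def resource_hash(clear: str, salt: Optional[bytes] = None) -> str:
    """What the resource computes locally from the clear text it receives,
    in the LDAP {SSHA} style (salted SHA-1, base64 of digest + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(clear.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def resource_verify(stored: str, clear: str) -> bool:
    """The resource checking a login against its own {SSHA} value."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(clear.encode() + salt).digest() == digest

def build_propagation_attrs(case: int, clear_password: Optional[str],
                            other_attrs: dict) -> dict:
    """Attribute set handed to the connector for the three cases in the
    thread. __PASSWORD__ (a GuardedString in ConnId) is only present when
    the clear text is known at propagation time."""
    attrs = dict(other_attrs)
    if case in (1, 3) and clear_password is not None:
        attrs["__PASSWORD__"] = clear_password
    # Case 2 (update that subscribes a new resource, no password change):
    # only syncope_store(...) exists in the database and cannot be reversed,
    # so no __PASSWORD__ is sent and the account lands without a password.
    return attrs

def provision(attrs: dict) -> Optional[str]:
    """The resource side: hash the received clear text, or store nothing."""
    pw = attrs.get("__PASSWORD__")
    return resource_hash(pw) if pw is not None else None
```

Pushing the stored Syncope hash as if it were the password does not help either: the resource would hash that string again with its own algorithm, and the real password would no longer verify.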